SecDocs papers feed
http://www.secdocs.org/
Latest papers RSS feed (en-us). Last updated: Wed, 24 Sep 2014 21:00:03 +0000

[Paper] Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks
http://www.secdocs.org/docs/heat-of-the-moment-characterizing-the-efficacy-of-thermal-camera-based-attacks-paper/
Tags: side channel
Published: Wed, 24 Sep 2014 21:00:03 +0000

[Paper] Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow
http://www.secdocs.org/docs/side-channel-leaks-in-web-applications-a-reality-today-a-challenge-tomorrow-paper/
Tags: web application
Abstract: With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is split into browser-side and server-side components. A subset of the application's internal information flows are inevitably exposed on the network. We show that despite encryption, such a side-channel information leak is a realistic and serious threat to user privacy. Specifically, we found that surprisingly detailed sensitive information is being leaked out from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search: an eavesdropper can infer the illnesses/medications/surgeries of the user, her family income and investment secrets, despite HTTPS protection; a stranger on the street can glean enterprise employees' web search queries, despite WPA/WPA2 Wi-Fi encryption. More importantly, the root causes of the problem are some fundamental characteristics of web applications: stateful communication, low entropy input for better interaction, and significant traffic distinctions. As a result, the scope of the problem seems industry-wide. We further present a concrete analysis to demonstrate the challenges of mitigating such a threat, which points to the necessity of a disciplined engineering practice for side-channel mitigations in future web application developments.
Published: Sun, 07 Sep 2014 21:00:03 +0000

[Paper] XML Schema, DTD, and Entity Attacks
http://www.secdocs.org/docs/xml-schema-dtd-and-entity-attacks-paper/
Tags: XML
Published: Mon, 28 Jul 2014 21:00:03 +0000

[Paper] Secure Design Patterns
http://www.secdocs.org/docs/secure-design-patterns-paper/
Tags: secure development
Published: Mon, 28 Jul 2014 21:00:02 +0000

[Paper] STEAM VOIP Security
http://www.secdocs.org/docs/steam-voip-security-paper/
Tags: vulnerability
Published: Mon, 07 Jul 2014 21:00:03 +0000

[Paper] Stamp Out Hash Corruption, Crack All The Things
http://www.secdocs.org/docs/stamp-out-hash-corruption-crack-all-the-things-paper/
Tags: cracking
Event: Black Hat USA 2012
Abstract: The precursor to cracking any password is getting the right hash. In this talk we are going to cover how we discovered that Cain & Abel, Creddump, Metasploit and other hash extraction tools regularly yield corrupt hashes that cannot be cracked. We will take a deep dive into password extraction mechanics, the birth of a viral logic flaw that started it all and how to prevent corrupt hashes. At the conclusion of this talk we will release patches that prevent hash corruption in these tools that many security professionals use every day.
Published: Tue, 24 Jun 2014 18:19:39 +0000

[Paper] The Last Gasp of the Industrial Air-Gap...
http://www.secdocs.org/docs/the-last-gasp-of-the-industrial-air-gap-paper/
Tags: SCADA
Event: Black Hat USA 2012
Abstract: Industrial Systems are widely believed to be air-gapped. At previous Black Hat conferences, people have demonstrated individual utilities control systems directly connected to the internet. However, this is not an isolated incident of failure, but rather a disturbing trend. By visualising results from SHODAN over a 2 1/2 year period, we can see that there are thousands of exposed systems around the world. By using some geolocation, and vulnerability pattern matching against service banners, we can see their rough physical location and the numbers of standard vulnerabilities they are exposed to. This allows us to look at some statistics about the industrial system security posture of whole nations and regions. During the process of this project I worked with ICS-CERT and other CERT teams around the world to inform asset-owners of their exposure. The project has reached out to 63 countries, and sparked discussion of the convergence of many insecure protocols and devices towards the public internet.
Published: Mon, 23 Jun 2014 14:39:01 +0000

[Paper] ModSecurity as Universal Cross-platform Web Protection Tool
http://www.secdocs.org/docs/modsecurity-as-universal-cross-platform-web-protection-tool-paper/
Tags: WAF
Event: Black Hat USA 2012
Abstract: For many years ModSecurity was the number one free open source web application firewall for the Apache web server. At this year's BlackHat we would like to announce that ModSecurity is now also available for IIS and nginx servers, making it the first free cross-platform WAF for on-line services. Using the MSRC response process and CVE-2011-3414 as an example, we will show how ModSecurity can be used in early detection of attacks and mitigation of vulnerabilities affecting web infrastructure. We will also show how the OWASP ModSecurity Core Rule Set can be used as a base for detection of 0-day attacks on Apache, IIS and nginx servers.
Published: Wed, 18 Jun 2014 09:00:03 +0000

[Paper] HTExploit Bypassing Htaccess Restrictions
http://www.secdocs.org/docs/htexploit-bypassing-htaccess-restrictions-paper/
Tags: web server
Event: Black Hat USA 2012
Abstract: HTExploit is an open-source tool written in Python that exploits a weakness in the way that htaccess files can be configured to protect a web directory with an authentication process. By using this tool anyone would be able to list the contents of a directory protected this way, bypassing the authentication process.
Published: Fri, 13 Jun 2014 21:00:03 +0000

[Paper] Advanced Chrome Extension Exploitation - Leveraging API Powers for the Better Evil
http://www.secdocs.org/docs/advanced-chrome-extension-exploitation-leveraging-api-powers-for-the-better-evil-paper/
Tags: browser
Event: Black Hat USA 2012
Abstract: Browser exploitation can seem to be a nearly unachievable task these days. ASLR, DEP, segregated processes and sandboxes have proven to be effective in abating exploits by attackers. Our expectation of browser security is so high that, in addition to bug bounty programs, competitions such as Pwn2Own and Pwnium have been formed around the core concept of weeding out dangerous bugs. But even with all the current protections, there is still attack surface not being exploited. We are, of course, talking about Chrome Extensions security bugs. These bugs can lead to extremely powerful attacks, which can effectively allow an attacker to take over your browser. In our workshop, we will demonstrate the power given to an attacker in the presence of a vulnerable extension, and present a tool which will assist in their practical exploitation.
Published: Fri, 06 Jun 2014 09:00:03 +0000

[Paper] Code Reviewing Web Application Framework Based Applications (Struts 2, Spring MVC, Ruby on Rails (Groovy on Grails), .NET MVC)
http://www.secdocs.org/docs/code-reviewing-web-application-framework-based-applications-struts-2-spring-mvc-ruby-on-rails-groovy-on-grails-net-mvc-paper/
Tags: code auditing
Event: Black Hat USA 2012
Abstract: This workshop will give participants an opportunity to practically review Web Application Framework based applications for security vulnerabilities. The material in this workshop provides the hands-on experience that one would need to quickly understand each web application framework (Struts 2, Spring MVC, Ruby on Rails (Groovy on Grails), .NET MVC, Zend PHP, and Scala Play) and identify vulnerabilities in applications using those frameworks. Sample applications are provided with guided tasks to ease participants into understanding the nuances of each framework and the overall steps a code reviewer should follow to identify vulnerabilities.
Published: Thu, 05 Jun 2014 21:00:03 +0000

[Paper] Web Tracking for You
http://www.secdocs.org/docs/web-tracking-for-you-paper/
Tags: privacy
Event: Black Hat USA 2012
Abstract: There has been a lot of conversation recently around the privacy degrading techniques used by shady online advertisers, faceless megacorps, and social network overlords to track users across the web. But, after all the recriminations and fancy infographics about the supposed loss of privacy, where does that leave people who need to implement tracking of website visitors? People seem so distracted with "punch the monkey" advertising cookies that they have lost a sense of the need to legitimately track and identify potential bad actors. This talk is a technical examination of the tracking techniques that can be implemented to identify and track users via their web browsers. The key concepts of active and passive fingerprinting, tracking, and user unmasking are discussed in detail. From the humble browser cookie to more advanced techniques to sidestep private browsing modes, the most effective approaches are discussed in relation to the various web browsers across operating systems and desktop and mobile environments. At the conclusion of the presentation, an open source tracking server will be released that implements the techniques covered in the talk. Additionally, several utilities to facilitate injection of tracking content and correlation of collected data will also be made available. These tools will be suitable to deploy on your network to track web users or on your local machine in a standalone "Track Yourself" mode.
Published: Wed, 04 Jun 2014 21:00:03 +0000

[Paper] Windows Phone 7 Internals and Exploitability
http://www.secdocs.org/docs/windows-phone-7-internals-and-exploitability-paper/
Tags: phone
Event: Black Hat USA 2012
Abstract: Windows Phone 7 is a modern mobile operating system developed by Microsoft. This operating system, based on Windows CE 6, protects the system and the user with a modern sandbox and secure application model. These security models are veiled and were difficult to uncover, but we succeeded in analyzing and inspecting the little-known Windows Phone 7 security internals through comprehensive reverse engineering. This operating system is properly implemented, which makes exploitation and privilege escalation extremely difficult. However, that does not mean exploitation is impossible. Even the sandbox can be breached on some of the latest Windows Phone 7.5 devices. The first topic is Windows Phone 7 security analysis. In this presentation, I will talk about how we analyzed the system and where Windows Phone 7 looks secure/insecure, along with examples. The second topic is customizations by third-party vendors. Windows Phone 7-based devices by some vendors have special interfaces for system applications. Some interfaces, however, make subverting the sandbox easier because of various design/implementation issues such as directory traversal and improper privileged operations. I will talk about this kind of vulnerability along with its countermeasure.
Published: Tue, 03 Jun 2014 21:00:03 +0000

[Paper] We Have You by the Gadgets
http://www.secdocs.org/docs/we-have-you-by-the-gadgets-paper/
Tags: Windows
Event: Black Hat USA 2012
Abstract: Why send someone an executable when you can just send them a sidebar gadget? We will be talking about the Windows gadget platform and the nastiness that can be done with it: how gadgets are made, how they are distributed and, more importantly, their weaknesses. Gadgets are comprised of JS, CSS and HTML and are applications that the Windows operating system has embedded by default. As a result there are a number of interesting attack vectors to explore and take advantage of. We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets.
Published: Fri, 30 May 2014 21:00:03 +0000

[Paper] Trust, Security, and Society
http://www.secdocs.org/docs/trust-security-and-society-paper/
Tags: security
Event: Black Hat USA 2012
Abstract: Human societies run on trust. Every day, we all trust millions of people, organizations, and systems, and we do it so easily that we barely notice. But in any system of trust, there is an alternative, parasitic strategy that involves abusing that trust. Making sure those defectors don't destroy the very cooperative systems they're abusing is an age-old problem, and we've developed a variety of societal pressures to induce cooperation: moral systems, reputational systems, institutional systems, and security systems. Understanding how these different societal pressures work, and fail, is essential to understanding the problems we face in today's increasingly technological and interconnected world.
Published: Fri, 30 May 2014 09:00:03 +0000

[Paper] Torturing OpenSSL
http://www.secdocs.org/docs/torturing-openssl-paper/
Tags: SSL
Event: Black Hat USA 2012
Abstract: For any computing system to be secure, both hardware and software have to be trusted. If the hardware layer in a secure system is compromised, not only is it possible to extract secret information about the software, but it is also extremely difficult for the software to detect that an attack is underway. This talk will detail a complete end-to-end security attack on a microprocessor system and will demonstrate how hardware vulnerabilities can be exploited to target systems that are software-secure. Specifically, we present a side-channel attack on the RSA signature algorithm by leveraging transient hardware faults at the server. Faults may be induced via voltage-supply variation, temperature variation, injection of single-event faults, etc. When affected by faults, the server produces erroneous RSA signatures, which it returns to the client. Once a sufficient number of erroneously signed messages is collected at the client end, we filter those that can leak private key information and we use them to extract the private key. We developed an algorithm to extract the private RSA key from messages affected by single-bit faults in the multiplication during Fixed Window Exponentiation (FWE), that is, the standard exponentiation algorithm used in OpenSSL during RSA signing. Our algorithm was inspired by a solution developed by Boneh et al. for the Chinese Remainder Theorem (CRT) [D. Boneh, R. DeMillo, and R. Lipton. On the importance of eliminating errors in cryptographic computations. Journal of Cryptology, Dec 2001], an algorithm particularly prone to attacks. Depending on the window size used in the encryption algorithm, it is possible to extract 4-6 bits of the private key from an erroneously signed message. Our attack is perpetrated using an FPGA platform implementing a SPARC-based microprocessor running unmodified Linux and the OpenSSL authentication library. The server provides 1024-bit RSA authentication to a client we control via an Ethernet connection. Faults are injected by inducing variations in the supply voltage on the FPGA platform or by subjecting the server to high temperatures. Our client collects a few thousand signed messages, which we transfer to an 80-machine computing pool to compute the private RSA key in less than 100 hours. Note that our attack does not require access to the victim system's internal components, but simply proximity to it. Moreover, it is conceivable that an attack leveraging solely high temperatures can be carried out on machines in a remote, poorly-conditioned server room. Finally, the attack does not leave any trail in the victim machine, and thus it cannot be detected. The presentation includes a live demo of the attack on an FPGA platform implementing a SPARC system. The system is powered via a voltage controller, used to induce variations in the supply voltage. The server is simplified to use a 128-bit private key so that the attack can be perpetrated during the briefing.
Published: Thu, 29 May 2014 21:00:05 +0000

[Paper] The Subway Line 8 - Exploitation of Windows 8 Metro Style Apps
http://www.secdocs.org/docs/the-subway-line-8-exploitation-of-windows-8-metro-style-apps-paper/
Tags: Windows
Event: Black Hat USA 2012
Abstract: Windows 8 introduces lots of security improvements; one of the most interesting features is the Metro-style app. It not only provides a fancy user interface, but also a solid application sandbox environment. All Metro-style applications run in AppContainer, and the AppContainer sandbox isolates the execution of each application. It can make sure that an App does not have access to capabilities that it hasn't declared and been granted by the user. This presentation will introduce the design of Metro-style apps as well as the AppContainer sandbox. We will dive into details of the architecture and see how it works and how it protects against a malicious App. After reviewing the design, we are going to look for possible attack vectors to bypass the sandbox. Analysis will start from low level and move to high level. We will describe how we find the target to attack, and how we analyze the different layers, such as debugging of ALPC, COM server attack, WinRT API fuzzing, and logic flaw discovery. Beyond the methodology, we will also demonstrate some problems we have discovered, including tricks to bypass AppContainer to access files, launch programs, and connect to the Internet.
Published: Tue, 27 May 2014 21:00:03 +0000

[Paper] The Info Leak Era on Software Exploitation
http://www.secdocs.org/docs/the-info-leak-era-on-software-exploitation-paper/
Tags: exploiting
Event: Black Hat USA 2012
Abstract: Previously, and mainly due to application compatibility, ASLR has not been as effective as had been expected. Nowadays, once some of the problems to fully deploy ASLR have been solved, it has become the key mitigation preventing reliable exploitation of software vulnerabilities. Defeating ASLR is a hot topic in the exploitation world. During this talk, it will be presented why other mitigations without ASLR are not strong ones and why, if you defeat ASLR, you mainly defeat the rest of them. Methods to defeat ASLR have been fixed lately, and the current way to do this is using information leak vulnerabilities.
Published: Mon, 26 May 2014 09:00:03 +0000

[Paper] Targeted Intrusion Remediation: Lessons From The Front Lines
http://www.secdocs.org/docs/targeted-intrusion-remediation-lessons-from-the-front-lines-paper/
Tags: incident response
Event: Black Hat USA 2012
Abstract: Successfully remediating a targeted, persistent intrusion generally requires a different approach from that applied to non-targeted threats. Regardless of the remediation actions enacted by victim organizations, experience has shown that such threats will continue to target certain organizations. In order to be successful against these types of threats, organizations must change the way they think about remediation.
Published: Sat, 24 May 2014 21:00:03 +0000

[Paper] The Defense RESTs: Automation and APIs for Improving Security
http://www.secdocs.org/docs/the-defense-rests-automation-and-apis-for-improving-security-paper/
Tags: technology
Event: Black Hat USA 2012
Abstract: Want to get better at security? Improve your ops and improve your dev. Most of the security tools you need aren't from security vendors; they don't even need to be commercial. You need tools like chef & puppet, jenkins, logstash + elasticsearch & splunk or even hadoop, to name but a few. The key is to centralize management, automate and test. Testing is especially key; like Jeremiah says, "Hack Yourself First". So many vulnerabilities can be detected automatically. Let the machines do that work and find the basic XSS, CSRF and SQLi flaws, not to mention buffer overflows. Save the manual effort for the more complex versions of the above attacks and for business logic flaws. This is one of those spaces in which dedicated security tools are a must. Leverage APIs (and protect API endpoints), and be evidence driven. Counterintuitively, deploy more often, with smaller change sets. Prepare for failure and fail fast, but recover faster. This is not just theory; the talk will include real examples with real code, including open protocols like netconf and open source software like dasein-cloud. There will be no discussion of APT, DevOps vs NoOps, BYOD or Cloud Security concerns; there will, however, be baked goods.
Published: Sat, 24 May 2014 09:00:05 +0000